Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method comprising: receiving, by a central processing unit (CPU), a first executable program instruction referencing a first memory address, wherein the first executable program instruction is a first augmented load instruction comprising a first permission value; responsive to receiving the first augmented load instruction, comparing, by the CPU, the first permission value to a second permission value, wherein the second permission value is associated with a first page table entry for the first memory address; and responsive to determining that the first permission value matches the second permission value, loading, into a register, contents of a memory location referenced by the first memory address.
This invention relates to memory access control in computing systems, specifically addressing security and permission management during data loading operations. The method involves a CPU executing an augmented load instruction that includes a permission value, which is compared against a permission value stored in a page table entry for the target memory address. If the values match, the CPU loads the contents of the memory location into a register. This approach enhances security by ensuring that only authorized memory accesses are permitted, preventing unauthorized data retrieval. The augmented load instruction is a specialized instruction that includes an explicit permission value, allowing fine-grained control over memory access permissions at the instruction level. The page table entry stores a permission value associated with the memory address, enabling the CPU to verify access rights before executing the load operation. This method improves security by enforcing permission checks at the hardware level, reducing the risk of unauthorized memory access. The invention is particularly useful in systems where secure memory access is critical, such as in operating systems, virtualization environments, or security-sensitive applications.
2. The method of claim 1 , further comprising: receiving, by the central processing unit (CPU), a second executable program instruction referencing a second memory address, wherein the second executable program instruction is a second augmented load instruction comprising a third permission value; responsive to receiving the second augmented load instruction, comparing, by the CPU, the third permission value to a fourth permission value, wherein the fourth permission value is associated with a second page table entry for the second memory address; and responsive to determining that the third permission value specified by the second augmented load instruction does not match the fourth permission value associated with the second page table entry, triggering an exception for the second augmented load instruction.
This invention relates to memory access control in computing systems, specifically enhancing security by validating memory access permissions at the instruction level. The problem addressed is the need for fine-grained control over memory access to prevent unauthorized data reads or writes, particularly in systems where traditional page-level permissions are insufficient. The method involves a central processing unit (CPU) executing an augmented load instruction that includes a permission value. The CPU checks this permission value against a corresponding permission value stored in a page table entry for the target memory address. If the values do not match, an exception is triggered, halting the operation. This ensures that only instructions with the correct permission level can access specific memory locations, providing an additional layer of security beyond standard memory protection mechanisms. The method also handles subsequent memory access attempts, where a second augmented load instruction referencing a different memory address is received. The CPU compares the permission value in this instruction to the value in the corresponding page table entry. If they do not match, an exception is triggered, preventing unauthorized access. This approach allows for dynamic and precise control over memory access permissions, reducing the risk of security vulnerabilities caused by improper memory access.
3. The method of claim 1 , wherein the first permission value comprises a two-bit read flag, a two-bit write flag, and a two-bit execute flag, each configured to encode values of either: true, false, or not applicable.
This invention relates to a method for managing access permissions in a computing system, specifically addressing the need for granular and flexible control over read, write, and execute operations. The method involves assigning permission values to resources, where each permission value includes a two-bit read flag, a two-bit write flag, and a two-bit execute flag. Each flag can encode three possible states: true (allow), false (deny), or not applicable (irrelevant). This design allows for more nuanced access control than traditional binary permission systems, accommodating scenarios where certain operations are not relevant to a resource. For example, a read-only file may have a "not applicable" state for the execute flag, while a script may require execute permissions but not write permissions. The method ensures that permissions are dynamically configurable, supporting complex access policies in systems where resources may have varying levels of relevance to different operations. The invention improves security and usability by reducing ambiguity in permission assignments and enabling more precise access control.
4. The method of claim 1 , wherein the first permission value comprises a read-only permission value.
A system and method for managing access permissions in a computing environment involves controlling data access based on permission values assigned to users or processes. The invention addresses the problem of unauthorized data access by implementing a permission-based control mechanism that restricts operations such as reading, writing, or executing data based on predefined permission levels. The method includes assigning a first permission value to a user or process, where this permission value determines the type of access allowed. In one embodiment, the first permission value is a read-only permission, meaning the user or process can only read the data but cannot modify or execute it. The system evaluates the permission value before granting access, ensuring that only authorized operations are performed. Additional permission values may include read-write, execute-only, or no-access, depending on the security requirements. The method enhances data security by enforcing strict access controls and preventing unauthorized modifications or executions. The invention is applicable in various computing environments, including cloud storage, file systems, and database management systems, where secure data handling is critical.
5. The method of claim 1 , wherein the second permission value associated with the page table entry comprises a read/write permission flag indicating whether the memory referenced by the memory address is read-only or read and write.
This invention relates to memory access control in computing systems, specifically improving security and efficiency in managing permissions for memory pages. The problem addressed is the need for fine-grained control over memory access permissions to prevent unauthorized modifications while maintaining performance. The invention provides a method for managing memory access permissions using page table entries (PTEs) in a virtual memory system. Each PTE includes a second permission value that specifies whether the referenced memory is read-only or read/write. This permission flag is dynamically adjustable, allowing the system to enforce strict access restrictions or permit modifications as needed. The method ensures that memory operations comply with the specified permissions, preventing unauthorized writes to protected memory regions. This approach enhances security by reducing the risk of memory corruption and unauthorized data access while maintaining efficient memory management. The invention is particularly useful in systems requiring strict access control, such as operating systems, virtualization environments, and security-critical applications. The dynamic adjustment of permissions allows for flexible memory usage while enforcing necessary security policies.
6. The method of claim 5 , wherein the first permission value comprises a read-only permission value; and wherein determining whether the first permission value specified in the augmented load instruction matches the second permission value associated with the page table entry comprises determining that the read/write permission flag is set to zero.
This invention relates to memory access control in computing systems, specifically a method for enforcing read-only permissions during memory operations. The problem addressed is ensuring secure and controlled access to memory pages, preventing unauthorized modifications while allowing read operations. The method involves checking permission values during memory access. A first permission value, set to read-only, is compared against a second permission value stored in a page table entry. The comparison determines whether a read/write permission flag in the page table entry is set to zero, indicating read-only access. If the flag is zero, the read-only permission is confirmed, allowing the memory operation to proceed. If the flag is not zero, the operation is denied, preventing unauthorized writes. The method ensures that memory pages marked as read-only cannot be modified, enhancing system security. It integrates with existing memory management systems by leveraging page table entries, which store metadata about memory pages, including access permissions. The comparison process is performed during memory access, ensuring real-time enforcement of permissions. This approach is particularly useful in systems requiring strict access control, such as operating systems, virtual machines, or secure computing environments.
7. The method of claim 1 , wherein the first executable program instruction is a part of implements a bytecode interpreter.
A bytecode interpreter is a software component that executes bytecode instructions, which are low-level, platform-independent instructions generated from higher-level programming languages. A common challenge in bytecode interpretation is efficiently managing and executing these instructions while ensuring compatibility across different hardware and software environments. This invention addresses this problem by integrating a specific executable program instruction within the bytecode interpreter to enhance its functionality. The instruction is designed to optimize the execution of bytecode, potentially improving performance, reducing resource usage, or enabling new features. The interpreter processes the bytecode by decoding and executing the instruction, which may involve interacting with other components of the interpreter or the underlying system. The method ensures that the instruction is correctly interpreted and executed, maintaining compatibility with existing bytecode standards while introducing improvements. This approach allows developers to leverage the interpreter's capabilities more effectively, supporting a wider range of applications and use cases. The invention is particularly useful in environments where bytecode execution is critical, such as virtual machines, embedded systems, or cross-platform applications.
Unknown
October 6, 2020
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.